As part of our onboarding process we're requiring enrollment in an MDM solution and corporate ownership. In my testing, the user experience is poor because the user has to wait for ClearPass to sync with the third-party MDM solution before it populates the endpoint attributes and can use them for decision making during onboard authorization. I've set the Endpoint Context Server polling interval to 15 minutes to make the wait shorter for the user, but it's still not ideal. It also creates confusion because more than likely the user has to reconnect to the SSID and hit the onboarding captive portal again.
From what I can tell, when ClearPass polls MDM, it compares its local endpoints with those enrolled in MDM. It will update any attributes in the endpoint that have changed in MDM. It doesn't appear to do a full device download from MDM and keep it in a local cache, regardless of whether the device exists in the endpoint repository. If this were done, as soon as a device was profiled and put in the endpoint repository, its MDM attributes would populate. This is ideal in order to avoid waiting for clients that have previously enrolled in MDM and just need to onboard.
I'm just guessing this is how it works based on all the testing I've done, but I am interested to know if anyone knows for sure. Is there any way to avoid waiting for ClearPass to poll the context server for endpoint attributes to make the onboarding process easier?
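To make the timing argument in the post concrete, here is a small model of the two sync behaviours it contrasts: refreshing MDM attributes only for endpoints that already exist in the local repository at poll time, versus caching a full MDM inventory download and filling attributes in the moment an endpoint is profiled. This is an added example written for this thread, not ClearPass code and not a description of how ClearPass actually behaves (which is exactly what the post is asking about); the NAC and MDM classes, the single constructed device, the MAC, the attribute names and the poll timings are all assumptions made for the simulation.

```python
"""Model of two MDM-to-NAC sync strategies and the onboarding wait each causes.

Constructed example: the classes below stand in for a NAC endpoint repository
and an MDM inventory API. Time is in minutes; polls fire at multiples of the
poll interval; the device is profiled (added to the endpoint repository) at
a chosen minute. We report the first minute at which an authorization could
see the MDM attributes on that endpoint."""

from typing import Dict, Optional, Tuple

# Constructed test device and the attributes an MDM integration would supply.
MAC = "aa:bb:cc:dd:ee:ff"
MDM_ATTRS = {"mdm_enrolled": True, "ownership": "Corporate"}


class Mdm:
    """Stand-in for the MDM inventory: mac -> (enrolled_at_minute, attrs)."""

    def __init__(self, inventory: Dict[str, Tuple[int, dict]]):
        self.inventory = inventory

    def list_devices(self, now: int) -> Dict[str, dict]:
        # A poll only sees devices enrolled at or before the poll time.
        return {mac: attrs for mac, (t, attrs) in self.inventory.items() if t <= now}


class Nac:
    """Toy NAC with a local endpoint repository and a pluggable sync strategy."""

    def __init__(self, mdm: Mdm, strategy: str):
        assert strategy in ("merge", "cache"), "strategy must be 'merge' or 'cache'"
        self.mdm = mdm
        self.strategy = strategy
        self.endpoints: Dict[str, dict] = {}  # local endpoint repository
        self.cache: Dict[str, dict] = {}      # full inventory, 'cache' strategy only

    def poll(self, now: int) -> None:
        devices = self.mdm.list_devices(now)
        if self.strategy == "cache":
            # Keep the whole inventory locally so profile() can use it later.
            self.cache = dict(devices)
        # Either way, endpoints already in the repository get refreshed now.
        for mac, ep in self.endpoints.items():
            if mac in devices:
                ep.update(devices[mac])

    def profile(self, mac: str) -> None:
        ep = self.endpoints.setdefault(mac, {})
        # Only the 'cache' strategy can fill attributes at profiling time;
        # 'merge' has to wait for the next poll to notice the new endpoint.
        if self.strategy == "cache" and mac in self.cache:
            ep.update(self.cache[mac])

    def has_mdm_attrs(self, mac: str) -> bool:
        return "mdm_enrolled" in self.endpoints.get(mac, {})


def first_minute_with_mdm_attrs(strategy: str, poll_interval: int,
                                enrolled_at: int, profiled_at: int,
                                horizon: int = 240) -> Optional[int]:
    """First minute at which the endpoint carries MDM attributes, or None."""
    nac = Nac(Mdm({MAC: (enrolled_at, MDM_ATTRS)}), strategy)
    for now in range(horizon + 1):
        if now % poll_interval == 0:
            nac.poll(now)
        if now == profiled_at:
            nac.profile(MAC)
        if nac.has_mdm_attrs(MAC):
            return now
    return None


def onboarding_wait(strategy: str, poll_interval: int,
                    enrolled_at: int, profiled_at: int) -> Optional[int]:
    """Minutes the user waits after profiling before MDM attributes are usable."""
    ready = first_minute_with_mdm_attrs(strategy, poll_interval, enrolled_at, profiled_at)
    return None if ready is None else ready - profiled_at


if __name__ == "__main__":
    # Device enrolled before the last poll, then profiled 5 minutes later.
    for strategy in ("merge", "cache"):
        print(strategy, "previously enrolled, 15 min poll:",
              onboarding_wait(strategy, 15, enrolled_at=0, profiled_at=5), "min wait")
    # Device enrolled after the last poll: neither strategy can help until the next poll.
    for strategy in ("merge", "cache"):
        print(strategy, "enrolled after last poll:",
              onboarding_wait(strategy, 15, enrolled_at=7, profiled_at=8), "min wait")
```

The simulation shows the two cases the post distinguishes: for a device that was already in the MDM inventory at the previous poll, the merge-only behaviour still makes the user wait for the next poll (up to the full polling interval), while a cached full download fills the attributes at profiling time with no wait. For a device enrolled after the most recent poll, both strategies wait for the next poll, so shortening the interval is the only lever in that case.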